
Privacy & Security Tips

May, 2025

Using AI in Your Practice: Meeting Regulatory Standards

When integrating AI tools into your practice, it is important to ensure patient data is protected and that your vendor maintains the standards of privacy and security required by PHIPA and other privacy laws. As you may be aware, Ontario's AI Scribe Program and its Vendor of Record approach is coming soon. It will help support your AI scribe adoption process and compliance obligations. In the interim, if you conduct trials of different AI scribe solutions, consider these steps:

  • Choose PHIPA-Compliant Tools: Select tools from AI vendors that comply with PHIPA and PIPEDA, that include security measures to protect PHI, and that limit data use to authorized purposes. Ask vendors to provide proof of their compliance and their data handling protocols. The Ontario AI scribe VOR Program has already done this for you. Check out the OMD Practice Hub for more information.
  • Obtain Valid Consent: PHIPA requires informed, valid consent from patients before you use an AI scribe for the first time. Download OMD's Patient Consent Toolkit to learn more and simplify this process.
  • Research and Implement Security & Privacy Safeguards: PHIPA requires reasonable security safeguards to protect PHI against unauthorized access, use, disclosure, or destruction. Confirm your chosen AI scribe includes encryption (for data at rest and in transit), access logs, and regular security updates. Some vendors' tools may hold certifications (e.g., SOC 2, ISO 27001), which can help demonstrate adherence to industry-recognized cybersecurity standards.
  • Ensure the Vendor Performs Regular Audits: Regular audits can help verify AI tools remain compliant with appropriate privacy laws. Audits may include reviewing access logs, checking for unauthorized access, assessing and reviewing data storage practices, and identifying any non-compliance in vendor operations.
  • Ensure Vendors Have Clear Data Retention and Disposal Policies: PHIPA specifies how long PHI should be retained, requiring records to remain accessible for as long as necessary for the patient's recourse under PHIPA. Your vendor should establish very short retention limits for AI-generated data (such as audio recordings and draft notes) and enforce secure disposal practices to prevent unauthorized access after the engagement ends.
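The audit and retention tips above describe two concrete checks: reviewing access logs for unauthorized access, and confirming that AI-generated artifacts are disposed of once their short retention window has passed. The script below is an added illustration of both checks; it is not part of the original tip sheet and is not any vendor's tooling. The log format, the roles, the role-to-action policy, the business-hours window, the retention period, and every log line and artifact record are constructed assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample access log (CSV). The column layout is an assumption;
# a real AI scribe vendor's export will differ.
SAMPLE_LOG = """timestamp,user,role,action,patient_id
2025-05-02T09:14:00,dr.lee,physician,read_note,P-1001
2025-05-02T09:20:00,scribe-svc,service,write_note,P-1001
2025-05-02T23:47:00,j.smith,billing,read_note,P-1001
2025-05-03T10:02:00,contractor7,unknown,export_notes,P-1002
2025-05-03T10:05:00,dr.lee,physician,read_note,P-1002
"""

# Constructed policy: which roles may perform which actions on PHI.
# Roles missing from the table (e.g. "unknown") are allowed nothing.
ALLOWED_ACTIONS = {
    "physician": {"read_note", "write_note"},
    "service": {"write_note"},     # the scribe service only writes drafts
    "billing": set(),              # billing staff do not read clinical notes
}

# Assumed clinic hours (local time, 24h); human access outside them is
# flagged for follow-up rather than treated as a violation outright.
BUSINESS_HOURS = (7, 20)


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access_log(text, allowed=ALLOWED_ACTIONS, hours=BUSINESS_HOURS):
    """Return a list of (reason, entry) findings for an auditor to review.

    Each entry is checked first against the role policy; if the action is
    permitted, human (non-service) access is additionally checked against
    the business-hours window.
    """
    findings = []
    for entry in parse_log(text):
        role, action = entry["role"], entry["action"]
        ts = datetime.fromisoformat(entry["timestamp"])
        if action not in allowed.get(role, set()):
            findings.append(("action not permitted for role", entry))
        elif role != "service" and not (hours[0] <= ts.hour < hours[1]):
            findings.append(("access outside business hours", entry))
    return findings


# Constructed inventory of transient AI-generated artifacts the vendor
# still holds (audio recordings and draft notes), with creation times.
RETAINED_ARTIFACTS = """artifact_id,patient_id,created,kind
A-1,P-1001,2025-04-01T09:30:00,audio
A-2,P-1001,2025-05-01T09:30:00,draft_note
A-3,P-1002,2025-05-03T10:02:00,audio
"""


def overdue_for_disposal(text, retention_days, now):
    """Return the ids of artifacts older than the agreed retention window.

    retention_days is the short limit agreed with the vendor (assumed here);
    now is the audit timestamp, passed in so the check is reproducible.
    """
    cutoff = now - timedelta(days=retention_days)
    overdue = []
    for row in parse_log(text):
        if datetime.fromisoformat(row["created"]) < cutoff:
            overdue.append(row["artifact_id"])
    return overdue


if __name__ == "__main__":
    for reason, entry in review_access_log(SAMPLE_LOG):
        print(f"{entry['timestamp']} {entry['user']:<12} {entry['action']:<13} {reason}")
    audit_time = datetime.fromisoformat("2025-05-05T00:00:00")
    print("overdue for disposal:", overdue_for_disposal(RETAINED_ARTIFACTS, 7, audit_time))
```

Run on the constructed data, the log review flags the billing user's read and the unknown role's export, while the physician's daytime reads and the service's write pass; the retention check reports only the audio recording that is well past a seven-day window. In practice the log export, the role policy, and the retention period come from the vendor agreement, and the findings feed the audit record rather than being acted on automatically.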

By following these tips, and learning more on our Practice Hub's Legal & Privacy Page, you can take a strong, proactive approach to PHIPA compliance to protect patient data and maintain integrated privacy and security when adopting AI tools into your practice!

Read additional guidance from the College of Physicians and Surgeons of Ontario on the use of AI scribes in clinical practice.